{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/alaqsl/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["n8n","rce","alaqsl","injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical remote code execution vulnerability has been identified in n8n, a popular workflow automation tool. Specifically, the vulnerability resides within the Merge node\u0026rsquo;s \u0026ldquo;Combine by SQL\u0026rdquo; mode. Versions of n8n prior to 2.14.1, 2.13.3, and 1.123.27 are affected. An authenticated user with the ability to create or modify workflows can leverage the AlaSQL sandbox\u0026rsquo;s insufficient input sanitization to inject malicious SQL code. This allows the attacker to potentially read arbitrary local files from the n8n host or execute arbitrary commands, leading to full system compromise. This vulnerability poses a significant risk to organizations using n8n, as it allows attackers to gain unauthorized access and control over their systems and data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the n8n instance with a user account that has workflow creation/modification permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies an existing workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a Merge node to the workflow and sets its mode to \u0026ldquo;Combine by SQL\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SQL query within the Merge node\u0026rsquo;s SQL configuration, taking advantage of insufficient input validation in the AlaSQL sandbox. 
The SQL query may attempt to read sensitive files from the file system, for example, \u003ccode\u003e/etc/passwd\u003c/code\u003e or application configuration files.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query executes when the workflow is triggered, potentially reading files from the n8n server.\u003c/li\u003e\n\u003cli\u003eAlternatively, the malicious SQL query could execute commands via the \u003ccode\u003eSYSTEM\u003c/code\u003e function or other methods available through AlaSQL, leading to remote code execution on the n8n host.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains control of the n8n process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised n8n instance to pivot to other systems on the network, steal sensitive data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the n8n server. This can lead to complete system compromise, including the ability to steal sensitive data, install malware, or disrupt services. The number of affected n8n instances is currently unknown, but given the popularity of the platform in various sectors, the potential impact is widespread. 
Organizations using vulnerable versions of n8n are at high risk of data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.14.1, 2.13.3, 1.123.27 or later to patch CVE-2026-33660.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, limit workflow creation and editing permissions to only fully trusted users as a short-term mitigation (reference Overview).\u003c/li\u003e\n\u003cli\u003eAs an alternative temporary workaround, disable the Merge node by adding \u003ccode\u003en8n-nodes-base.merge\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable (reference Overview).\u003c/li\u003e\n\u003cli\u003eMonitor n8n application logs for suspicious SQL queries or other anomalous activity originating from the Merge node (create custom detection logic based on observed AlaSQL activity).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-n8n-rce/","summary":"An authenticated user with workflow creation/modification permissions can exploit insufficient restrictions in the n8n Merge node's AlaSQL sandbox to achieve remote code execution by reading local files or executing commands on the n8n host.","title":"n8n Merge Node AlaSQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-n8n-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Alaqsl","version":"https://jsonfeed.org/version/1.1"}